A certificate-based signature,
like a conventional handwritten signature, identifies the person
signing a document. Unlike a handwritten signature, a certificate-based
signature is difficult to forge because it contains encrypted information that
is unique to the signer. It can be easily verified and informs recipients whether
the document was modified after the signer initially signed the document.

To sign a document with a certificate-based signature, you must
obtain a digital ID or create a self-signed digital ID in Acrobat
or Adobe Reader. The digital ID contains
a private key and a certificate with a public key and more. The
private key is used to create the certificate-based signature. The
certificate is a credential that is automatically applied to the
signed document. The signature is verified when recipients open
the document.

When you apply a certificate-based signature, Acrobat uses a hashing algorithm to generate
a message digest of the document, which it encrypts using your private key. Acrobat
embeds in the PDF the encrypted message digest, the certificate details, the signature
image, and a version of the document as it was when it was signed.

Certificate-based signature in a PDF form

Certifying and signing documents

The Sign > Work with Certificates panel lets you apply
two types of certificate-based signatures. You can certify a document
to attest to its content, or approve a document with the Sign With Certificate
option.

Certify

Certify options provide a higher level of document control
than Sign With Certificate. For documents that require certification,
you must certify the documents before others sign them. If a document
has already been signed, the Certify options are disabled. When
you certify a document, you can control the types of changes other
people can make. You can certify with or without displaying a signature.

Sign With Certificate

When you sign with a certificate, the signature is considered
an approval signature.

Signatures made with the Certify or Sign With Certificate options
comply with data protection standards specified by the European
Telecommunications Standards Institute (ETSI). In addition,
both signature types comply with the PDF Advanced Electronic Signature
(PAdES) standard. Acrobat and Reader provide an option to change
the default signing format to a CAdES format. This option is compliant
with Part 3 of the PAdES standard. The timestamp capability and native
support for long-term validation of signatures (introduced in Acrobat
9.1) is in compliance with Part 4 of the PAdES standard. The default
signing format, when set up accordingly, is compliant with Part
2 of the PAdES standard. You can change the default signing method
or format in the Signatures panel of the Preferences dialog box.
Under Creation & Appearance, click More.

Setting up certificate-based signatures

You can expedite the signing process and optimize your
results by making the following preparations in advance.

Note:

Some situations require using particular digital IDs for signing. For example, a corporation or government agency can require individuals to use only digital IDs issued by that agency to sign official documents. Inquire about the digital signature policies of your organization to determine the appropriate source of your digital ID.

Get a digital ID from your own organization, buy a digital ID (see the Adobe website for security partners), or create a self-signed one. See Create a self-signed digital ID. You can’t apply a certificate-based signature without a digital ID.

Use Preview Document mode to suppress any dynamic content that can alter the appearance of the document and mislead you into signing an unsuitable document. For information about using the Preview Document mode, see Sign in Preview Document mode.

Review all the pages in a document before you sign. Documents can contain signature fields on multiple pages.

Configure the signing application. Both authors and signers should configure their application environment. (See Set signing preferences.)

Choose a signature type. Learn about approval and certification signatures to determine the type you should choose to sign your document. (See Signature types.)

Set signing preferences

Signing workflow preferences control what you can see and do when the signing dialog box opens. You can allow certain actions, hide and display data fields, and change how content affects the signing process. Setting signing preferences impacts your ability to see what you are signing. For information on the available signing preferences, see “Signing Workflow Preferences” in the Digital Signature Guide at www.adobe.com/go/learn_acr_security_en.

Customizing signature workflows
using seed values

Seed values offer additional
control to document authors by letting them specify which choices
signers can make when signing a document. By applying seed values
to signature fields in unsigned PDFs, authors can customize options
and automate tasks. They can also specify signature requirements
for items such as certificates and timestamp servers. For more information
about customizing signatures using seed values, see the Digital Signature Guide (PDF)
at www.adobe.com/go/learn_acr_security_en.

Create the appearance of a certificate-based
signature

You determine the look of your certificate-based signature by selecting options in the Signatures panel of the Preferences dialog box. For example, you can include an image of your handwritten signature, a company logo, or a photograph. You can also create different signatures for different purposes. For some, you can provide a greater level of detail.

A signature can also include information that helps others verify your signature, such as the reason for signing, contact information, and more.

Signature formats: A. Text signature, B. Graphic signature

(Optional) If you want to include an image of
your handwritten signature in the certificate-based signature, scan
your signature, and save it as an image file. Place the image in
a document by itself, and convert the document to PDF.

Right-click the signature field, and select Sign Document or Certify With Visible Signature.

From the Appearance menu in the Sign dialog box, select Create New Appearance.

In the Configure Signature Appearance dialog box, type
a name for the signature you’re creating. When you sign, you select
the signature by this name. Therefore, use a short, descriptive
title.

For Configure Graphic, choose an option:

No Graphic

Displays only the default icon and other information
specified in the Configure Text section.

Imported Graphic

Displays an image with your certificate-based signature. Select
this option to include an image of your handwritten signature. To
import the image file, click File, click Browse, and then select
the image file.

Name

Displays only the default signature icon and your name
as it appears in your digital ID file.

For Configure Text, select the options that you want
to appear in the signature. Distinguished Name shows the user attributes
defined in your digital ID, including your name, organization, and
country.

(Optional) If the dialog box includes the Additional
Signature Information section, specify the reason for signing the
document, the location, and your contact information. These options
are available only if you set them as your preferences in the Creation
and Appearance Preferences dialog box (Edit > Preferences >
Signatures > Creation & Appearance > More).

Set up a roaming ID account

A roaming ID is
a digital ID that is stored on a server and can be accessed by the subscriber.
You must have an Internet connection to access a roaming ID and
an account from an organization that supplies roaming digital IDs.

Type your user name and password or follow the directions
to create an account. Click Next, and then
click Finish.

Once the roaming ID is added, it can be used for signing
or encryption. When you perform a task that uses your roaming ID,
you’re automatically logged in to the roaming ID server if your
authentication assertion hasn’t expired.

PKCS#12 modules and tokens

You can have multiple digital IDs that you use for different
purposes, particularly if you sign documents in different roles
or using different certification methods. Digital IDs are
usually password protected. They can be stored on your computer in
PKCS#12 file format. Digital IDs can also
be stored on a smart card, hardware token, or in the Windows certificate
store. Roaming IDs can be stored on a server. Acrobat includes a default signature
handler that can access digital IDs from various locations. Register
the digital ID in Acrobat for it to be available
for use.

Store certificates on directory
servers

Directory
servers are commonly used as centralized repositories of identities within
an organization. The server acts as an ideal location to store user
certificates in enterprises that use certificate encryption. Directory
servers let you locate certificates from network servers, including Lightweight
Directory Access Protocol (LDAP) servers. After you
locate a certificate, you can add it to your list of trusted identities
so that you don’t have to look it up again. By developing a storage
area for trusted certificates, you or a member of your workgroup
can facilitate the use of encryption in the workgroup.

Import directory server settings
(Windows only)

You import directory server settings using
a security import/export methodology file or a security settings file.
Before you import settings from a file using the import/export methodology,
ensure that you trust the file provider before opening it.

Open the Preferences dialog
box.

Under Categories, select Signatures.

For Document Timestamping, click More.

Select Directory Servers on the
left, and then click Import.

Select the import/export methodology file, and click Open.

If the file is signed, click the Signature
Properties button to check the current signature status.

Click Import Search Directory Settings.

Click OK, if prompted, to confirm your choice.

The directory server appears in the Security
Settings dialog box.

Export directory server settings
(Windows only)

Although it is preferable to export security
settings, you can export directory settings as an import/export
methodology file. Use the file to configure the directory server
on another computer.

Add a timestamp to certificate-based
signatures

You can include the date
and time you signed the document as part of your certificate-based
signature. Timestamps are easier to verify when they are associated
with a trusted timestamp authority certificate. A timestamp helps
to establish when you signed the document and reduces the chances
of an invalid signature. You can obtain a timestamp from a third-party
timestamp authority or the certificate authority that issued your
digital ID.

Timestamps appear in the signature field and in
the Signature Properties dialog box. If a
timestamp server is configured, the timestamp appears in the Date/Time tab
of the Signature Properties dialog box. If
no timestamp server is configured, the signature field displays
the local time of the computer at the moment of signing.

Note:

If
you did not embed a timestamp when you signed the document, you
can add one later to your signature. (See Establish
long-term signature validation.) A timestamp applied after
signing a document uses the time provided by the timestamp server.

Configure a timestamp server

To configure a timestamp server, you need
the server name and the URL, which you can obtain from an administrator
or a security settings file.

If you have a security settings
file, install it and don’t use the following instructions for configuring
a server. Ensure that you obtained the security settings file from
a trusted source. Don’t install it without checking with your system
administrator or IT department.

Open the Preferences dialog
box.

Under Categories, select Signatures.

For Document Timestamping, click More.

Select Time Stamp Servers on the
left.

Do one of the following:

If you have an import/export methodology file with the timestamp server settings, click the Import button. Select the file, and click Open.

If you have a URL for the timestamp server, click the New button. Type a name, and then type the server URL. Specify whether the server requires a username and password, and then click OK.

Set a timestamp server as the default

To be able to use a timestamp server to timestamp
signatures, set it as the default server.

Open the Preferences dialog
box.

Under Categories, select Signatures.

For Document Timestamping, click More.

Select Time Stamp Servers on the
left.

Select the timestamp server, and click the Set
Default button.

Click OK to confirm your selection.

Adobe LiveCycle Rights Management
(ALCRM) servers

Adobe LiveCycle Rights
Management (ALCRM) servers let you define centralized policies
to control access to documents. The policies are stored on the ALCRM server.
You require server access to use them.